FortuneTeller: Predicting Microarchitectural Attacks via Unsupervised Deep Learning

  • 2019-07-08 14:40:08
  • Berk Gulmezoglu, Ahmad Moghimi, Thomas Eisenbarth, Berk Sunar
  • 16

Abstract

The growing security threat of microarchitectural attacks underlines theimportance of robust security sensors and detection mechanisms at the hardwarelevel. While there are studies on runtime detection of cache attacks, a genericmodel to consider the broad range of existing and future attacks is missing.Unfortunately, previous approaches only consider either a single attackvariant, e.g. Prime+Probe, or specific victim applications such ascryptographic implementations. Furthermore, the state-of-the art anomalydetection methods are based on coarse-grained statistical models, which are notsuccessful to detect anomalies in a large-scale real world systems. Thanks tothe memory capability of advanced Recurrent Neural Networks (RNNs) algorithms,both short and long term dependencies can be learned more accurately.Therefore, we propose FortuneTeller, which for the first time leverages thesuperiority of RNNs to learn complex execution patterns and detects unseenmicroarchitectural attacks in real world systems. FortuneTeller models benignworkload pattern from a microarchitectural standpoint in an unsupervisedfashion, and then, it predicts how upcoming benign executions are supposed tobehave. Potential attacks and malicious behaviors will be detectedautomatically, when there is a discrepancy between the predicted executionpattern and the runtime observation. We implement FortuneTeller based on theavailable hardware performance counters on Intel processors and it is trainedwith 10 million samples obtained from benign applications. For the first time,the latest attacks such as Meltdown, Spectre, Rowhammer and Zombieload aredetected with one trained model and without observing these attacks during thetraining. We show that FortuneTeller achieves F-score of 0.9970.

 

Quick Read (beta)

loading the full paper ...